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1. Introduction 


This report summarizes research performed under NASA Contract NSR-05-020-500 in the period 
1970 December IS to 1973 April 3. The primary products of this work have already been published 
(Appendices A and B). Accomplishments under this contract can best be understood in terms of 
antecedent work. 


2. Early Work 

The idea that computer scientists should study computations themselves rather then just the 
notion of computability (i.e. recursion theory) was suggested in 1963 by McCarthy [1,2]. These 
early papers suggested that mathematical methods could be used to prove (or disprove) the 
following properties of programs: 

1. a program is correct, 

2. a program terminates, 

two programs are equivalent, 

4 . a translation procedure between two languages is correct, (i.e. it preserves the meaning of 

a program), 

5. optimized programs are equivalent to the original, 

6. one program uses less resources than another and is. therefore more efficient. 

These are simply technical descriptions of a programed day to day problems. The notion of 
correctness of a program is just - how do we know that a particular program solves the problem 
that it was intended to. The usual way of putting it is: "Does my program have bugs in it”. A 
correct mathematical description of what this means is a central problem in MTC and is a 
genuine first step in any attempt to. mechanize the debugging of programs. The equivalence of 
programs is similar in that until there are clear ways of describing what a program does, saying 
that they "do" the same thing is impossible. These technical problems are now well enough 
understood so that serious attempts to apply the results to "real” programs are beginning. 
Attempts to formalize these questions have proceeded along several lines simultaneously. In [4,6] 
McCarthy and Mansfield discussed new languages for expressing these notions were considered. 
[ i] considered a first order logic which contained an "undefined" truth-value. This was one way 
of explaining what was meant by computations which didn’t terminate. [5] used a traditional first 
order logic to describe a subset of ALGOL. 

in [?] McCarthy proposed that computers themselves might be used to check the correctness of 
proofs in formal systems, and was the first to actually construct a program to carry this out. This 
suggests that one could check or possibly look for solutions to the above problems (in the form of 
proofs in some formal system). As a result a series of proof checkers has been built. The first is 
reported in [7]. 

In 196C> I'loyd [S] published his now well known method of assigning assertions to the paths in a 
flowchart, in order to find verification conditions the truth of which guarantee the "correctness" of 
the original program. 
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McCarthy, Painter and Kaplan [9,10,11,12.13,14] used the ideas in [4,8] to prove: 

1) the correctness of a compiler for arithmetic expressions, 

2) i he correctness of several compilers for algol-like programs, 

3) the equivalence of some algorithms. 

Kaplan also gave some completeness results for a forma] system which talks about assignment 
statements [10], and discussed the equivalence of programs [13,14]. During this time another proof 
checker was written by W. Wether [15], 

In a series of articles Z. Manna extended and expanded Floyd's original ideas. With A. Pneulli 
[16.17] lie discussed the relationship between the termination, correctness and equivalence of 
recursively defined functions and the satisfiability (or unsatisfiability) of certain first order 
formulas. In [17] they work out an example using the 91 function. In [18] Manna extended his 
ideas to non-dererministic programs. E. Ashcroft and he did a similar thing for parallel programs 
in [21]. 

P, Hayes [IS] again attacked the problem of a three-valued predicate logic, this time with a 
machine implementation in mind. This coincided with a paper of Manna and McCarthy [19], 
which used this logic. 

About this time ( 1969 ) several important developments occurred which allowed the above 
questions to be reexamined from different points of view. 

1. In [22] Z. Manna showed how to formulate the notion of partial 
correctness in second logic. 

2. C. A. R . Hoare [24] published a paper describing a new formalism 

for expressing the meanings of programs in terms of input/output relations. 

3. S. lgarashi [23] gave an axiomatic description of an ALGOL-like 
la ngu age. 

4. D. Scott suggested using the typed lambda calculus for studying 

MTC and first described IN 1970 a mathematical model of Church’s lambda 

calculus. 

These tngerher with McCarthy’s axiomatic approach now represent the most important directions 
in MTC. research. They express different points of view towards the meanings (or semantics) of 

programs. 
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3. Research Performed under this Contract 


By the beginning of the contract period (December 1970), Mathematical Theory of Computation 
had become quite a lively field. Research performed under this contract cannot be cleanly 
separated from other concurrent work at Stanford (mainly by Edward Ashcroft, Ashok Chandra, 
Robert Floyd, Shigem Igarashi, and Ralph London), or from work elsewhere. Instead, we simply 
summarize recent progress, with a note that the following persons received at least part of. their 
support from the subject contract: jack Buchanan, John McCarthy, Zohar Manna, Robin Milner, 
and Richard Weyhrauch. 

Manna (following Floyd) describes the effects of a program by showing, what kinds of relations 
must hold among the values of the program variables at different points in the execution pf the 
program. In particular between the input and the output. In [31] Floyd suggests an interactive 
system for designing correct programs. These ideas are systematized and expanded by Manna in 
[34]. He and Ashcroft show how to remove GOTO statements from programs and replace them 
by WHILE statements in [33]. 

Hoarc shows how properties (including the meaning) .of a program can be expressed as rules of 
inference m his formal system and how these rules can be used to generate the relations described 
by Floyd and Manna. This puts their approach in a formal setting suitable for treatment on a 
computer. Work on this formal system is at present being aggressively pursued. Igarashi, London, 
and l.urkham have increased the scope of the original rules and have programed a system called 
VCC (tor verification condition generator) which takes PASCAL programs together with 
assertions assigned to loops in the program and uses the Hoare rules to automatically generate 
.Edification conditions the proof of which guarantee the correctness of the original program. 
These sentences are then given to a resolution theorem prover[26] which tries to prove them. 
There is also a project started by Suzuki under the direction of Luckham.to develop. programs to 
take account of particular properties of arithmetic and arrays when trying to prove the 
verification conditions. London also produced an informal proof of two lisp compiler [35] 
Igarashi’s formal system [23] differs from Hoare's in that the rules of inference act directly on the 
programs themselves rather than properties of such programs. 

Scott's work assumes that the most suitable meaning for a program is the function which it 
computes anti essentially ignores how that computation proceeds. The other approaches are more 
intentional in that: . . 

1) they may not necessarily mention that function explicitly although it might appear 

implicitly. 

2) they can (and do) consider notions of meaning that are stronger than Scott’s. 

For example programs might have to have "similar" computation sequences before considering 
them equivalent^ 1 ]. 

A computer -program (LC.F for "logic for computable functions") has been implemented by 
Mi!ner[26]. This logic uses the typed lambda calculus to defines the semantics of programs. 
Exactly how to do this was worked out by Weyhrauch and Milner[28,29,30]. In conjunction 
Newcy worked on the axiomatization of arithmetic, finite sets, and lists in the LCF environment. 
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This work is still continuing. In addition Milner and Weyhrauch worked with Scott on an 
axiomatization of the type free lambda calculus. Much of this work was informally summarized 
in [32]. 

McCarthy attempts to give an axiomatic treatment to a programming language by describing its 
abstract syntax in first order logic and staling properties of the programming language directly as 
axioms. This approach has prompted Weyhrauch to begin the design of a new first order logic 
proof checker based on natural deduction. This proof checker is expected to incorporate the more 
interesting features of LCF and will draw heavily on the knowledge gained from using LCF to 
attempt to make the new first order proof checker a viable tool for use in proving properties of 
programs. 

This work is all being brought' together by projects that are still to a large extent unfinished. 
They include 

1) a new version of LCF including a facility to search for 
proofs automatically. 

2) the description of the language PASCAL in terms of both 
LCF and in first order logic (in the style of McCarthy) 

in order to have a realistic comparison between these 
approaches and that of Floyd, Hoare, et al. 

3) a continuation of Newey’s work. 

4) the discussion of LISP semantics in LCF and an attempt 
to prove the correctness of the London compilers in a 
formal way. This is also being done by Newey. 

5) the design of both special purpose and domain independent 
proving procedures specifically with program correctness 

in mind. 

6) the design of languages for describing such proof procedures 
• 7) the embedding of these ideas in the new first order checker.’ 

In addition to t he work described above, Ashcroft, Manna, and Pneuli[3$], and Chandra and 
Manna [37] have published results related to program schemas, 

Some of these references appeared both as A.I. memos and were later published in journals. In 
such cases both references appear in the bibliography. 
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3. Shmuel Katz and Zohar Manna, "A Heuristic Approach to Program Verification", Proceedings 
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August 1971 

4. Z. Manna (with R. Waldinger), "Toward Automatic Program Synthesis", Comm. ACM, 

March 1971. 

b. Z. Manna, "Mathematical Theory of Partial Correctness", J. Comp. & Sys. Sci., June 1971. 

6. 7. Manna. S. Ness, and J. Vulllemin, "Inductive Methods for Proving Properties' of 

Programs". ACM SIGPLAN Notices, Vol. 7, No. 4, January 1972. . : . 

7. Z, Manna and J. Vuillemiri, "Fixpoint Approach to the Theory of Computation", Comm. ACM, 

July 1972. ' 

5. Zohar Manna, "Program Schemas", in Currents in the Theory of Computing (A. V. Aho, Ed,), 

Prentice-Hall, Englewood Cliffs, N. J., 1973. 

9. Zohar Manna, Stephen Ness, Jean Vuillemin, "Inductive Methods for Proving Properties Of 

Programs", Comm. ACM, August 1973. ■ 

10. Zohar Manna, "Automatic Programming", Proceedings of the Third International Joint 

Conference on Artificial Intelligence, Stanford University, August 1973. 

II zohar Manna, INTRODUCTION TO MATHEMATICAL THEORY OF 
COMPUTATION. McGraw-Hill, New York, 1974. 
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Abstracts of research reports published by staff members who were supported by the subject 
contract are listed here. 


A1M-I3S, Edward Ashcroft and Zohar Manna, THE TRANSLATION OF ‘GO-TO’ 
PROGRAMS TO 'WHILE' PROGRAMS, January 1971, 28 pages. 

In this paper we show that every flowchart program can be written without ‘go-to’ statements by 
using 'while' statements. The main idea is to introduce new variables to preserve the values of 
certain variables at particular points in the program; or alternatively, to introduce special boolean 
variables to keep information about the course. of the computation. 

The 'while’ programs produced yield the same final results as the original flowchart program but 
need not perform computations in exactly the same way. However, the new programs preserve the 
'topology' of the original flowchart program, and are of the same order of efficiency. 

We also show that this cannot be done in general without adding variables. 

AIM-139. Zohar Manna, MATHEMATICAL THEORY OF PARTIAL CORRECTNESS, 
January 1971, 24 pages. 

In this work we show that it is possible to express most properties regularly observed in 
algorithms in terms of ‘partial correctness' (i.e., the property that the final results of the algorithm, 
if any. satisfy some given input-output relation). 

This result is of special interest since 'partial correctness 1 has already been formulated in predicate 
calculus and in partial function logic for many classes of algorithms. 

AIM-142, Robin Milner. AN ALGEBRAIC DEFINITION OF SIMULATION BETWEEN 
PROGRAMS, February 1971, 21 pages. 

A simulation relation between programs is defined which is quasi-ordering, Mutual simulation is 
then an equivalence relation, and by dividing out by it we abstract from a program such details 
as how the sequencing is controlled and how data is represented. The equivalence classes are 
approximations to the algorithms which are realized, or expressed, by their member programs. 

A technique is given and illustrated for proving simulation and equivalence of programs; there is 
an analogy with Floyd's technique for proving correctness of programs. Finally, necessary and 
sufficient conditions for simulation are given. 
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AIM-148, Edward Ashcroft, Zohar Manna, and Amir Pneuli, DECIDABLE PROPERTIES OF 
MONADIC FUNCTIONAL SCHEMAS, July 1971, 10 pages. 

We define a class of. (monadic) functional schemas which properly include Tanov’ flowchart 
schemas. We show that the termination, divergence and freedom problems for functional schemas 
are decidable. Although it is possible to translate a large class of non-free functional schemas into 
equivalent free functional schemas, we show that this cannot be done in general. We show also 
that the equivalence problem for free functional schemas is decidable. Most of the results are 
obtained from, well-known results in Formal Languages and Automata Theory. 


AIM-154, Zohar Manna, Stephen Ness and jean Vuillemin, INDUCTIVE METHODS FOR 
PROVING PROPERTIES OF PROGRAMS, November 1971, 24 pages. 

We have two main purposes in this paper. First, we clarify and extend known results about 
computation of recursive programs, emphasizing the difference between the theoretical and 
practical approaches. Secondly, we present and examine various known methods for proving 
properties of recursive programs. We discuss in detail two powerful inductive methods, 
computational induction and structural induction, illustrating their applications by various 
examples. Wc also briefly discuss some other related methods. 

Our aim in this work is to introduce inductive methods to as wide a class of readers as possible 
and to demonstrate their power as practical techniques. We ask the forgiveness of our more 
theoretical-minded colleagues for our occasional choice of clarity over precision. . 

AIM-158, Ashok Chandra, Zohar Manna, PROGRAM SCHEMAS WITH EQUALITY, 
December 1971, 13 pages. 

We discuss the class of program schemas augmented with equality tests, that is, tests of equality 
between terms. 

in the first part of the paper we illustrate the “power" of equality tests. It turns out that the class 
of program schemas with equality is more powerful than the maximal classes of schemas 
suggested by other investigators. 

In the second part of the paper, we discuss the decision problems of program schemas with 
equality. It is shown, for example, that while the decision problems normally considered for 
schemas (such as halting, divergence, equivalence, isomorphism and freedom) are decidable for 
lanov schemas. They all become undecidable if general equality tests are added. We suggest, 
however, limited' equality tests which can be added to certain subclasses of program schemas while 
preserving their solvable properties. 

AIM-163, J.M. Cadiou, RECURSIVE DEFINITIONS OF PARTIAL FUNCTIONS AND 
’ THEIR COMPUTATIONS, April 1972, 160 pages. 

A formal syntactic and semantic model is presented for ‘recursive definitions’ which are 
generalizations of those found in LISP, for example. Such recursive definitions can have two 
classes of fixpoints, the strong fixpoints and the weak fixpoints, and also possess a class of 
computed partial functions. 
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Relations between these classes are presented: fix points are shown to be extensions of computed 
functions. More precisely, strong fixpoints are shown to be extensions of computed functions 
when the computations may involve "call by name" substitutions; weak fixpoints are shown to be 
extensions of computed functions when the computation only involve "call by value" substitutions. 
The Church-Rosser property for recursive definitions with fixpoints also follows from these 
results. 

Then conditions are given on the recursive definitions to ensure that they possess least fixpoints 
(of both classes), and" computation rules are given for computing these two fixpoints: the "full" 
computation rule, which leads to the least weak fixpoint. A general class of computation rules, 
called 'safe innermost', also lead to the latter fixpoint. The "leftmost innermost" rule is a special 
case of those, .for the LISP recursive definitions. 

AIM-16*}, Zohur Manna and jean Vuillemin, FIXPOINT APPROACH TO THE THEORY OF 
COMPUTATION, April 1972, 29 pages. 

Following the fixpoint theory of Scott, we propose to define the semantics of computer programs 
in terms of the least fixpoints of recursive programs. This allows one not only to. justify all 
existing verification techniques, but also to extend them to handle various properties of computer 
programs, including correctness, termination and equivalence, in a uniform manner. 

AIM-169, Robin Milner, LOGIC FOR COMPUTABLE FUNCTIONS., DESCRIPTION OF A 
MACHINE IMPLEMENTATION, May 1972, 36 pages. 

This paper is primarily a user’s manual for LCF, a proof-checking program for a logic of 
computable functions proposed by Dana Scott in 1969, but unpublished by him. We use the name 
LCF also for the logic itself, which is presented at the start of the paper. The proof-checking 
program is designed to allow the. user interactively to generate formal proofs about computable 
functions and functionals over a variety of domains, including those of. interest to the computer 
seienlist-for example, integers, lists and computer programs and their semantics. The user’s task is 
alleviated by two features: a subgoaling facility and a powerful simplification mechanism. 
Applications include proofs of program correctness and in particular of compiler correctness; these 
applications are not discussed herein, but are illustrated in the papers referenced in the 
introduction. 

AIM -164, Malcolm Newcy, AXIOMS AND THEOREMS FOR INTEGERS, LISTS AND 
FINITE SETS IN LCF, January 1973, 53 pages. 

LCF (Logic for Computable Functions) is being promoted as a formal language suitable for the 
discussion of various problems in the Mathematical Theory of Computation (MTC). To this end, 
several examples of MTC problems have been formalised and proofs have been exhibited using 
the LCF proof-checker. However, in these examples, there has been a certain amount of ad-hoc- 
ery in the proofs; namely many mathematical theorems have been assumed without proof and ho 
ax iCMTiat isarinn of the mathematical domains involved was given. This paper describes a suitable 
mathematical environment for future LCF experiments and its axiomatic basis. The environment 
developed deemed appropriate for such experiments, consists of a large body of theorems from the 
areas of integer arithmetic, list manipulation and finite set theory, r 
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aim i:,',. Ashot K .Chandra and Zohar Manna. ON THE POWER OF PROGRAMMING 
FEATURES, January 1973, 29 pages. 

w, considi.T ihc powvr of several programming features such as counters, pushdown stacks, 
queues, arrays, recursion and equality. In this study program schemas are used as the model for 
computation. The relations between the powers of these features is completely described by a 

comparison diagram. 

AIM-186. Rohm Milner. MODELS OF LC.F. January 1973. 17 pages. 

LCF is a deductive system for computable functions proposed by D. Scott in 1969 in an 
iblblmd memorandum. The purpose of the present paper is to demonstrate the soundness of 
the system with respect to certain . models, which are partially ordered domains of continuous 
functions. This demonstration was supplied by Scott in his memorandum; the present paper is 
merely intended lo make this work more accessible. 

AIM-910. Z.jlmr Manna and Amir Pnueli, AXIOMATIC APPROACH TO TOTAL 
' CORRECTNESS OF PROGRAMS, July 1973, 25 pp. 

We ..resent her* an axiomatic approach which enables one to prove by formal methods that his 
mwram is "totally correct" (i.e„ it terminates and is logically correct - does what it is supposed to 
do)* The approach is similar to Hoare’s approach for proving that a program is partially 
correct” ( 1 . t\. that whenever it terminates it produces correct results), Our extension to Hoares 
method lies in the possibility of proving correctness and termination at once, and in the enlarged 
scope of properties that can be proved by it. 
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